Guidelines for the whistleblowing function

Introduction

Parkit is required by owners, investors, the board and customers to comply with applicable laws and regulations and to have good business ethics. Parkit's code of conduct, which has been adopted by the board and covers all employees, includes rules and guidelines on business ethics. Our employees play a key role in identifying any deviations from our values and code of conduct.

Our whistleblowing service provides an opportunity to report suspicions of serious irregularities.

The whistleblowing service is important to mitigate risk and promote high business ethics, thereby maintaining customer and public confidence in our business. Whistleblower reports can be submitted openly or anonymously.

The purpose of these guidelines is to enable employees to report suspicions of non-compliance with our business ethics guidelines, without risk of retaliation.

When can the whistleblowing service be used?

The service gives all employees (and the public) an opportunity to report serious risks, which could harm individuals, Parkit or the environment, such as:

irregularities relating to accounting, internal accounting controls, auditing, anti-bribery, banking and financial crime, or other serious irregularities affecting the vital interests of the company or group or the life and health of individuals, such as serious environmental crimes, major deficiencies in workplace safety and very serious forms of discrimination and harassment.

For issues related to workplace dissatisfaction, please contact your line manager or a representative of the Executive Board.

A whistleblower does not need to have evidence to report his or her suspicions. However, no allegations may be made with malicious intent or with knowledge that the allegation is false.

As a result of the legislation in force, only personal data relating to offences committed by key persons or persons in a leading position are processed.

How can the whistleblowing service be used?

If an employee suspects a departure from our values or business ethics guidelines, there are ways to report it. See options 1-3 below.

• Option 1: Contact a manager within our organization
• Option 2: Contact a member of the whistleblowing working group, i.e. Head of HR, Head of Finance and General Counsel.
• Option 3: Report anonymously through the whistleblowing service.

Option 3 (report anonymously)

If an employee wishes to report anonymously, this is possible through the external web-based reporting channel. Reports and subsequent dialog between Parkit and the whistleblower are encrypted and password protected. The whistleblowing service is managed by Parkit and we do not store metadata and cannot trace the IP address of a whistleblower.

The service offers the possibility of dialog between Parkit's whistleblowing working group and an anonymous whistleblower.

Investigation process

Responsibilities and accountabilities

Only the Parkit Whistleblowing Working Group has access to reports received through our anonymous reporting channel.

The team consists of the Chief Financial Officer, the Head of Human Resources and the General Counsel. All persons are bound by confidentiality agreements which ensure the confidential handling of whistleblower cases. In the course of an investigation, persons bringing information or expertise may be included. These persons are also bound by confidentiality.

Receipt of reports

Upon receipt of a report, the whistleblowing service decides whether to accept or reject the report in accordance with the applicable legislation. If the report is accepted, appropriate measures are taken to investigate. See "investigation" below.

The Working Party may refuse to receive a report if:

the report does not fall within the scope of what can be reported in a whistleblowing service,
the report has not been made in good faith or is malicious, there is insufficient information to investigate the matter, or the matter to which the report relates has already been addressed.

Privacy-sensitive information, such as information on political or religious affiliation or sexual orientation, should not be included in an investigation based on a whistleblowing report.

Investigation

All whistleblower reports are treated seriously and in accordance with these guidelines.

Reports are handled confidentially. A report is not investigated by anyone concerned or involved in the case. If necessary, the Parkit service working group can send follow-up questions to the whistleblower through the anonymous reporting channel. The anonymous dialog is enabled by Parkit's service provider.

None of the persons in charge of the service or any other person involved in the investigation process will try to identify the whistleblower.

Whistleblower protection in open reporting

A whistleblower who expresses a genuine concern or suspicion in accordance with these guidelines does not risk losing his or her job or suffering any form of sanction or personal disadvantage as a result of his or her report. It does not matter if the suspicion turns out to be false, provided that the whistleblower has acted in good faith.

Where the whistleblower chooses to reveal his or her identity, he or she will be informed of the progress of the investigation, unless it is inappropriate to do so in view of the privacy and other confidentiality issues of the whistleblower.

In cases of suspected crime, the whistleblower will be informed that his or her identity may be disclosed during the court proceedings.

Protection of, and information to, a person identified in a whistleblowing report

The data subject has the right of access to data concerning him/herself and may request amendments if the information is inaccurate, incomplete or out of date. This right is subject to obstruction of the investigation or destruction of evidence.

Erasure of data

Personal data included in a whistleblowing service is deleted at the end of the investigation. Erasure takes place within one month (30 days) after the investigation is completed. The documentation from reports and investigations that is kept must not contain personal data by which persons can be directly or indirectly identified.

Legal basis for the guidelines

These guidelines are based on the Swedish Personal Data Act, PUL and the Swedish Data Protection Authority's guidance for companies on responsibility for personal data handled in whistleblowing systems. DIFS 2010:1.

Transfer of personal data outside the EEA

There is a general prohibition on the transfer of personal data from the European Economic Area (EEA) unless specific provisions on the protection of data processing can be guaranteed. These guidelines do not cover any transfer of personal data from the EEA to operators outside the EEA.